Replace/Renew a digital certificate best practices?

Document ID : KB000016065
Last Modified Date : 14/02/2018
Show Technical Document Details

Is there a best approach to replacing or renewing digital certificates?


We have a number of certificates generated by Top Secret and signed by a CA that we have loaded into Top Secret which are due to expire in the near future. After looking in the manual, we need some further guidance as to what is the best approach.




There are a couple of approaches.

1. Backup the old certs to datasets, delete the certs, add new certs.
2. Keep the old certs, add new certs with different unique names, remove the old certs from keyring and add the new certs to the keyring. Since you dont delete anything, you can put it back easily.
3. Use the TSS RENEW command, but can only be used against certs created by CA Top Secret and not a 3rd party Certificate Authority.
4. Use TSS REKEY/ROLLOVER if the new certificate needs to added to many keyrings.

There are benefits to each approach.
1 Is easiest to do, but backing out is not as easy as 2.
2 Is second easiest to do administratively but easiest to backout.
3 Quickest method to renew but the certs must be created by CA Top Secret.
4. Hardest to backout but easiest if you have thousands of keyrings you need to add the certifciate to. If you dont have thousands of keyrings and only have a few keyrings, 1 or 2 is a easier/better option.